Industrial Control System System Protection Profile (ICS-SPP)

1
Industrial Control System System Protection
Profile (ICS-SPP)
  • Process Control Security Requirements Forum
  • Ron Melton, Murray Donaldson
  • December 17, 2003

2
Objectives of Today's Discussion
  • Introduce concept of a system protection profile
    (SPP)
  • Introduce the Industrial Control System System
    Protection Profile (ICS-SPP)
  • Answer questions about the ICS-SPP
  • Gather feedback regarding the ICS-SPP
  • Gather feedback on relative priority of critical
    assets identified in the ICS-SPP

3
What is a System Protection Profile
  • An extension of the ISO 15408 Protection Profile
    to systems
  • The System Protection Profile (SPP) integrates IT
    and non-IT security requirements for a system
  • Non-IT security requirements include
      • Operating procedures
      • Physical protection
      • Etc.
  • The system protection profile and subsequent
    system security target form the basis for system
    accreditation during the evaluation phase

4
SPP vs. PP
  • SPP
      • Includes IT and non-IT security requirements
      • Considers an entire system and addresses
        requirements for the entire system lifecycle
  • PP
      • Includes only IT security requirements
      • Focused on a specific product or component (e.g.
        an operating system)

5
SPP vs. SST
  • SPP
      • Logical / conceptual design
      • Defines an acceptable level of residual risk
      • Many possible implementations and approaches
      • Prepared by the system owner
  • SST
      • Physical design
      • Describes how the acceptable level of residual
        risk will be achieved
      • Elaborates a specific implementation
      • Prepared by system developer / integrator

6
What is the ICS-SPP
  • A generic system level protection profile
  • A starting point for
      • More specific system protection profiles (e.g.,
        SCADA, PLC, etc.)
  • The basis for a System Security Target (SST) for
    a specific instance of an industrial control
    system
  • A starting point for component protection
    profiles (PPs), e.g., industrial controller
    authentication, sensor authentication, etc.

7
ICS-SPP Relationships
[Diagram labels: Component PPs, System PPs, System STs, Component 1 PP]

8
ICS-SPP Contents
  • 1 Introduction
  • 2 System Target of Evaluation (STOE)
    Description
  • 3 STOE Security Environment
  • 4 Security Objectives
  • 5 Security Requirements
  • 6 Application Notes
  • 7 Rationale

9
ICS-SPP Process
  • Identify critical assets
  • Identify threats to critical assets
  • Identify critical asset vulnerabilities relative
    to threats
  • Identify threat impacts to critical assets
  • Assess risk
  • Define security objectives to counter threats and
    manage risk
  • Identify functional requirements that achieve
    security objectives
  • Document rationale (reasoning) behind the
    functional requirements and security objectives
  • Describe the STOE

10
Risk Assessment
  • Risk management is the foundation for a system
    protection profile
  • "Risk is a function of the likelihood of a given
    threat-source's exercising a particular potential
    vulnerability, and the resulting impact of that
    adverse event on the organization" (NIST
    SP 800-30)
  • Residual Risk: The degree of risk remaining
    after implementing security measures
  • The objective of a Common Criteria based System
    Evaluation is to verify that the level of
    acceptable residual risk defined in a System
    Protection Profile has been achieved

11
Security Objectives
  • Boundary protection
  • User authentication
  • Device authentication
  • System configuration data backup
  • Data authentication
  • Password management
  • Backup power (a security objective for the
    environment)

12
Requirements
  • Functional
      • IT
      • Non-IT
  • Assurance
      • IT
      • Non-IT
  • Comments or feedback?

13
System Target of Evaluation

14
Remaining Work for the ICS-SPP
  • Refine risk assessment
  • Identify assurance requirements
  • Prepare additional application notes

15
Questions for PCSRF
  • We have identified the following as critical
    assets
      • Actuators
      • Sensors
      • Controllers
      • Human Machine Interfaces (HMIs)
      • Remote Diagnostics and Maintenance
      • Communications Infrastructure
      • The Controlled Process (including the inputs and
        outputs to the process)
      • Process control information (signals and
        instructions)
      • The process control business or financial
        information
  • Is this list correct?
  • Is there a priority to this list?

16
Why the preceding question?
  • One dimension of risk analysis is the relative
    impact to critical assets if a threat is
    successfully realized. Currently we are treating
    all critical assets as equal priority or impact

17
References / Background Material
  • FIPS 199
  • NIST SP 800-30
  • Critical Infrastructure Protection Challenges
    in Security Control Systems, GAO-04-140T,
    http://www.gao.gov/cgi-bin/getrpt?GAO-04-140T
  • Security Capabilities Profile for Industrial
    Control Systems, PCSRF, September 17th, 2003
  • Concerns About Intrusions into Remotely
    Accessible Substation Controllers and SCADA
    Systems, Paul Oman and Edmund O. Schweitzer III
    and Deborah Frincke, Proc. 27th Annual Western
    Protective Relay Conferences. Oct 2002